Data protection in Austria: first warning and then fine?

by Nadja-Maria

Data protection in Austria does not work without the GDPR! The Austrian data protection supervisory authority has clarified the relationship between the data protection sanctions. In Austria, too, there is no rule that a data protection breach must first be met with a warning and that only a second breach may be punished with a fine. Rather, a fine is possible even for the first breach.

Choice of sanction options

The General Data Protection Regulation (GDPR) in principle leaves the choice of sanction open. It does not prescribe which type of sanction the supervisory authorities must impose for which data protection violation. Rather, a comprehensive catalog of sanctions is available to the supervisory authorities. This enables a reaction to a violation of the provisions of the GDPR that is effective and appropriate to the individual case.

The GDPR is intended to ensure uniform application across Europe and effective implementation of data protection regulations. That is why the member states cannot regulate this area individually, e.g. through an opening clause.

Data protection in Austria: §11 Data Protection Act

Section 11 of the Austrian Data Protection Act, however, states that the Austrian supervisory authority is bound in its choice of sanction: a data protection warning must be issued if the provisions of the GDPR are violated for the first time. In this way the Austrian legislature probably wanted to protect the domestic economy from excessive financial burdens.

Opinion from the Austrian supervisory authority

In its current newsletter (issue 2/2020), the Austrian supervisory authority now makes it clear that the entire catalog of sanctions of the GDPR may also be applied in Austria in the event of a first-time violation.

The background to this is that the member states have no opening clause available that would let them steer the supervisory authorities' selection of an appropriate sanction in a way that deviates from the provisions of the GDPR. As a result, § 11 DSG violates the GDPR and is not applicable because European law takes precedence in application.


The clarification from the Austrian supervisory authority is expressly to be welcomed. This makes it clear once again that the member states cannot relax the basic provisions of the GDPR in national data protection laws.

Keeping an eye on the constantly changing data protection framework and interpreting it correctly at all times is a challenge for many companies. We would be happy to provide you with an external data protection officer for your company or advise you on a fee basis. Our team, consisting of lawyers, data protection and IT security officers, will be happy to help you. Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!


Nadja-Maria heads our in-house legal team. She studied law at the University of Passau, followed by her legal clerkship (Referendariat) and the first and second state examinations. Her specialty is data protection law. She keeps her in-depth knowledge up to date at all times. For our clients and our team, she therefore always has advice on hand for a tailor-made solution.